Multiple XSS Vulnerabilities #596
Comments
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded? We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr Automatically generated by @huntr-helper... |
|
2 years ago, big warning! |
|
What remains to be done regarding this issue?
…On Thu, Jul 2, 2020, 1:54 AM Neustradamus ***@***.***> wrote:
2 years ago, big warning!
|
|
@timothygwebb - we have received a fix through https://huntr.dev which we are currently reviewing. We will look to merge a fix in the next week or so (418sec#1). Cheers! |
|
🛠️ A fix has been provided for this issue. Please reference: 418sec#1 |
|
It has been merged, thanks @huntr-helper! @jonahbohlmann @TuxMay @rubenmdh @ko-n @Hbkhan @echoIamnoob @huntr-helper @timothygwebb @JamieSlome @fordnox: Do you confirm that now the master branch is secure? Linked to: |
There are multiple XSS vulnerabilities (support ticket, forum topics, and guest inquiries mentioned in #526). In this issue, I would demonstrate the Stored XSS that exists in a support ticket!
Method to reproduce:
1- Go to support and click on create a ticket
3- In the message field enter
<script>alert('test');</script>
4- Click on Submit
If we look in src/bb-modules/Support/html_client file we do find the following JavaScript code which is responsible for making the API request. The JavaScript serializes the input fields and sends a POST request to example.com/index.php?_url=/api/client/support/ticket_create
The request is received by the ticket_create function in /src/bb-modules/Support/Api/Client.php. The only check that exists in this function is for the required parameters.
Once it verifies that the provided data contains the required parameters, it combines the request with client identity and helpdesk id and sends its request to the ticketCreateForClient function in src/bb-modules/support/service.php
It stores the subject and other ticket info in the support_ticket table in the database and sends the content to the messageCreateForTicket function.
The function basically stores the content value (which is the ticket body) in the support_ticket_message table in the database, which makes it stored cross-site scripting.
Reposting this from my original account
OLD Post Issue#526
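The flow described in this issue (a presence-only check, the ticket body stored verbatim, then written back into a page) next to output encoding at render time, as an added PHP example that is not the project's code or the merged fix. The function names, the in-memory array standing in for the support_ticket_message table, and the wrapping div are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the support_ticket_message table (constructed for this example).
$supportTicketMessage = [];

// Mirrors the flow in the issue: only the presence of required fields is checked.
function ticketCreate(array $data, array &$table): int
{
    foreach (['subject', 'content'] as $required) {
        if (!isset($data[$required]) || trim((string) $data[$required]) === '') {
            throw new InvalidArgumentException("Missing required parameter: $required");
        }
    }
    // The body is stored exactly as submitted.
    $table[] = ['subject' => (string) $data['subject'], 'content' => (string) $data['content']];
    return count($table) - 1;
}

// Before: the stored body is concatenated into the page, so markup in it is live.
function renderMessageUnsafe(array $row): string
{
    return '<div class="ticket-message">' . $row['content'] . '</div>';
}

// After: encode for the HTML context at output time; the stored data stays unchanged.
function renderMessageSafe(array $row): string
{
    $body = htmlspecialchars($row['content'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="ticket-message">' . $body . '</div>';
}

// Constructed sample input: the test string from the reproduction steps above.
$id = ticketCreate(
    ['subject' => 'test', 'content' => "<script>alert('test');</script>"],
    $supportTicketMessage
);
$row = $supportTicketMessage[$id];

echo 'stored:  ', $row['content'], PHP_EOL;
echo 'before:  ', renderMessageUnsafe($row), PHP_EOL;
echo 'after:   ', renderMessageSafe($row), PHP_EOL;

// Regression check a test suite can keep: no raw tag may survive rendering.
if (strpos(renderMessageSafe($row), '<script') !== false) {
    throw new RuntimeException('raw <script> tag reached the rendered page');
}
```

The same encoding has to be applied everywhere the stored value is displayed, including staff-facing views of the ticket.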